Update functions.lib.php

This commit is contained in:
Laurent Destailleur
2017-11-02 09:58:22 +01:00
committed by GitHub
parent f904c46a10
commit 6ea558b639


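--- a/functions.lib.php
+++ b/functions.lib.php
@@ -517,24 +517,31 @@ function GETPOST($paramname, $check='alpha', $method=0, $filter=NULL, $options=N
 if (preg_match('/[^0-9,]+/i',$out)) $out='';
 break;
 case 'alpha':
-if (!is_string($out))
-return $out;
+if (! is_array($out))
+{
 $out=trim($out);
 // '"' is dangerous because param in url can close the href= or src= and add javascript functions.
 // '../' is dangerous because it allows dir transversals
 if (preg_match('/"/',$out)) $out='';
 else if (preg_match('/\.\.\//',$out)) $out='';
+}
 break;
 case 'san_alpha':
 $out=filter_var($out,FILTER_SANITIZE_STRING);
 break;
 case 'aZ':
-$out=trim($out);
-if (preg_match('/[^a-z]+/i',$out)) $out='';
+if (! is_array($out))
+{
+$out=trim($out);
+if (preg_match('/[^a-z]+/i',$out)) $out='';
+}
 break;
 case 'aZ09':
-$out=trim($out);
-if (preg_match('/[^a-z0-9_\-\.]+/i',$out)) $out='';
+if (! is_array($out))
+{
+$out=trim($out);
+if (preg_match('/[^a-z0-9_\-\.]+/i',$out)) $out='';
+}
 break;
 case 'array':
 if (! is_array($out) || empty($out)) $out=array();
@@ -543,12 +550,15 @@ function GETPOST($paramname, $check='alpha', $method=0, $filter=NULL, $options=N
 $out=dol_string_nohtmltag($out);
 break;
 case 'alphanohtml': // Recommended for search params
-$out=trim($out);
-// '"' is dangerous because param in url can close the href= or src= and add javascript functions.
-// '../' is dangerous because it allows dir transversals
-if (preg_match('/"/',$out)) $out='';
-else if (preg_match('/\.\.\//',$out)) $out='';
-$out=dol_string_nohtmltag($out);
+if (! is_array($out))
+{
+$out=trim($out);
+// '"' is dangerous because param in url can close the href= or src= and add javascript functions.
+// '../' is dangerous because it allows dir transversals
+if (preg_match('/"/',$out)) $out='';
+else if (preg_match('/\.\.\//',$out)) $out='';
+$out=dol_string_nohtmltag($out);
+}
 break;
 case 'custom':
 if (empty($filter)) return 'BadFourthParameterForGETPOST';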
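Review bot: The new `if (! is_array($out))` guards in the 'alpha', 'aZ', 'aZ09' and 'alphanohtml' cases skip the sanitization entirely when the parameter arrives as an array, so an array-valued parameter passed with one of these scalar checks presumably leaves the switch with none of the trim/quote/`../`/HTML filtering a scalar gets; before this change 'aZ' and 'aZ09' at least ran `trim()` on it (which, on PHP 7, I believe warns and yields NULL rather than passing the array through). The element values should receive the same treatment as a scalar — apply the case's trim and preg_match filtering to each element and blank the ones that fail — or, at minimum, the array should be rejected for these non-array checks with `if (is_array($out)) { $out=array(); break; }` at the top of each affected case. The same applies to the 'alphanohtml' case in the second hunk. GETPOST starts before the first hunk and ends after the second, so what happens to `$out` after the switch is not visible here.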